How to lookup a user’s current Active-Directory site

Posted on March 13, 2013

Curious what site you're in?

nltest /dsgetsite

Why is w3wp.exe CPU utilization high – Exchange is slow – ActiveSync 2010 and iOS diagnostic tools

Posted on August 28, 2012

Microsoft is aware of, and working on, a known issue where iOS devices cause high CPU utilization on Exchange servers. The exact cause seems to bounce all over the place, but in general it is related to ActiveSync and how the iPhone communicates with the Exchange server. The issue is challenging. Their direct recommendation is to ensure all devices are up to date. A single remote ActiveSync device can eat up 90+% of your system resources.

The good news is there are now scripts available to help you isolate the specific device(s) causing the issue.

I suggest you read this article thoroughly:
http://blogs.technet.com/b/exchange/archive/2012/01/31/a-script-to-troubleshoot-issues-with-exchange-activesync.aspx

To make life a bit easier, use the following steps.

1) If you find that your CPU utilization is maxed out, verify that the following process is the one causing the issue:

By default some of these columns are not shown.
To load them, go to "View -> Select Columns".

Make sure both items in RED match your own process list.
If they are not identical, you are not dealing with the same issue.

2) Download the PowerShell script: http://gallery.technet.microsoft.com/scriptcenter/ActiveSyncReport-script-a2417a84

Save the script with your other Exchange scripts located under "C:\Program Files\Microsoft\Exchange Server\V14\Scripts".

3) Download and install Log Parser: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24659

4) Load the Exchange Management Shell and change directory to "C:\Program Files\Microsoft\Exchange Server\V14\Scripts".

Now that you're in the scripts folder ([PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>), we can start hunting down the source of your issue. Before we do, you should be aware that the script you are about to run can take 2-5 minutes to complete (depending on the size of your IIS logs). It will count the number of 'hits' a device has sent to your server. Anything over 1000 hits is high, anything over 1500 is very high.

Let's start by checking EVERY log against every device. This should give us a general idea of which devices have excessively high hits over a long period of time. The following command saves the report to "C:\EASReports", looks for devices with 1000 or more hits, and writes the result as a viewable HTML report.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -HTMLReport

Building Log Parser Query...

Found time-taken in the IIS Log, adding this column.
Gathering Statistical data
Running Log Parser Command against the IIS Log(s): C:\inetpub\logs\LogFiles\W3SVC1\*.log

Statistics:
-----------
Elements processed: 24083868
Elements output: 1342
Execution time: 402.31 seconds (00:06:42.31)

Generating the Minimum Hits Report.
Building Log Parser Query...
Running Log Parser Command against the CSV results to determine Minimum hits of 1000

Statistics:
-----------
Elements processed: 1342
Elements output: 566
Execution time: 0.02 seconds

LogParser Command finished CSV, File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.csv
Creating HTML Output...
HTML File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.html

If you open this report for review (c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.html) you will see something similar to:

Take note of the DeviceID and Hits columns. In this particular example, I see 5 devices that are clearly communicating with the Exchange server excessively. Using the device ID, we can drill down further into that specific device and find out how many hits per hour. Make sure to use the DeviceID from the table above in the line below.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -deviceID <DEVICEIDHERE> -hourly -htmlreport
Building Log Parser Query...
Found time-taken in the IIS Log, adding this column.
Gathering Statistical data for device: <DEVICEID>
On a per hourly basis.
Running Log Parser Command against the IIS Log(s): C:\inetpub\logs\LogFiles\W3SVC1\*.log

Statistics:
-----------
Elements processed: 24087512
Elements output: 3083
Execution time: 154.74 seconds (00:02:34.74)

LogParser Command finished CSV, File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.csv
Creating HTML Output...
HTML File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.html

If you open this log for review (c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.html) you will see something similar to:

That's a lot of hits! This post was made on August 28th, and we can see on the 26th they were clearing 6000+ hits per day from this device. At this point, you should contact the user and update the iOS device to the latest version. After it's updated, watch it closely. Don't forget to check the other 5 devices on this list with high hits. It could be more than one device causing the issue.

5) The odd exception

The first report we ran includes hits from all logs. What about recently added devices (say 1 week ago) that haven't had time to register huge numbers? For example, in the first report we saw 100,000+ hits on the first 6 devices. What if we added a new device 1 week ago that was registering 5,000 hits per day? It would only show up as 30,000-40,000 hits.

While checking the highest hits is always a good idea, you should also check the last few days individually. The example below includes a date parameter (8-28-2012); modify it as necessary.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -date 8-28-2012 -HTMLReport

The resulting report will show you the devices that exceeded 1000 hits on the specified date. This gives you a more accurate daily breakdown.
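The same daily and hourly tally can be produced without Log Parser. The script below is an added example, not the ActiveSyncReport.ps1 script: it reads IIS W3C log lines, picks out the DeviceId from the ActiveSync query string and counts hits per device per day (or per hour with -Hourly), flagging them with the post's 1000/1500 thresholds. The log lines embedded in it are constructed sample data in the W3SVC1 format.

```powershell
# Added example (not ActiveSyncReport.ps1): count ActiveSync hits per DeviceId from IIS logs.
# Constructed sample log lines stand in for C:\inetpub\logs\LogFiles\W3SVC1\*.log.
$sampleLog = @"
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status time-taken
2012-08-26 00:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=jon&DeviceId=APPL123&DeviceType=iPhone DOMAIN\jon 203.0.113.10 Apple-iPhone3C1/902.206 200 15
2012-08-26 00:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=jon&DeviceId=APPL123&DeviceType=iPhone DOMAIN\jon 203.0.113.10 Apple-iPhone3C1/902.206 200 31
2012-08-26 00:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=ann&DeviceId=ANDR456&DeviceType=Android DOMAIN\ann 203.0.113.11 Android/4.0 200 12
2012-08-27 09:15:00 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=jon&DeviceId=APPL123&DeviceType=iPhone DOMAIN\jon 203.0.113.10 Apple-iPhone3C1/902.206 200 25
2012-08-27 09:15:01 10.0.0.5 GET /owa/ - DOMAIN\ann 203.0.113.11 Mozilla/5.0 200 40
"@

function Get-EasHitsPerDevice {
    param(
        [string[]]$Lines,          # raw W3C log lines, '#' header lines included
        [int]$MinimumHits = 1000,  # the post's threshold: 1000+ is high, 1500+ very high
        [switch]$Hourly            # bucket by hour instead of by day
    )
    $fields = @()
    $hits = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # IIS can change the column set between log files, so re-read it each time
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.Trim() -eq '' -or $line.StartsWith('#')) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notlike '*Microsoft-Server-ActiveSync*') { continue }
        if ($row['cs-uri-query'] -match '(?:^|&)DeviceId=([^&]+)') {
            $bucket = $row['date']
            if ($Hourly) { $bucket += ' ' + $row['time'].Substring(0, 2) + ':00' }
            $key = "$bucket|$($Matches[1])|$($row['cs-username'])"
            $hits[$key] = [int]$hits[$key] + 1
        }
    }
    foreach ($key in $hits.Keys) {
        $bucket, $device, $user = $key -split '\|'
        $count = $hits[$key]
        $level = ''
        if ($count -ge 1500) { $level = 'very high' } elseif ($count -ge $MinimumHits) { $level = 'high' }
        New-Object PSObject -Property @{
            Period = $bucket; DeviceId = $device; User = $user; Hits = $count; Level = $level
        }
    }
}

# Threshold lowered to 2 only so the sample data produces a flagged row. Against real logs:
#   Get-EasHitsPerDevice -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') -Hourly
Get-EasHitsPerDevice -Lines ($sampleLog -split "`r?`n") -MinimumHits 2 |
    Sort-Object Hits -Descending | Format-Table Period, DeviceId, User, Hits, Level -AutoSize
```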


Happy hunting!

Active Directory Login failure on Blackberry Administration Server (BAS) – The username, password, or domain is not correct. Please correct the entry.

Posted on July 24, 2012

Logging into BAS can fail if DNS records are incorrect or stale.
Before we get into that, I highly recommend you look through your BAS logs to analyse the error.

1) Try to log in to the BAS admin service using your LDAP/Active Directory credentials several times. This will register a few errors in your logs that you can track down.
2) Head to: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\Logs\(TODAYS DATE)\
3) Open the log file that starts with "SERVERNAME_BBAS-AS-" (Make sure it's the most recently modified version!)
4) Scroll to the bottom and look for lines that start with "(XX/XX XX:XX:XX:XXX):{http-"

(XX/XX XX:XX:XX:XXX):{http-URL.COM%2F10.100.1.36-3443-5} [com.rim.bes.basplugin.activedirectory.LDAPSearch] [INFO] [ADAU-1001] {u=SystemUser, t=30847} performPagedLDAPSearch problem performing LDAP operation: url=ldap://ldapserver.domain.com:3268 base= filter=(&(objectClass=user)(objectCategory=person)(|(sAMAccountName=besadmin)(userPrincipalName=besadmin))) scope=2

If you see a message similar to this, BAS is trying to obtain a Kerberos ticket and your DNS is causing errors.

Resolution:

1) Load your Active Directory DNS management console.
2) Verify that you have reverse DNS set up for the entire domain. You require PTR records (reverse DNS records) for each of your domain controllers. If you don't have them, FIX THIS!
3) Verify that you have no stale records pointing to decommissioned or retired domain controllers. Drill down into each DNS folder and confirm the hostname and IP match your current infrastructure. It's amazing how many stale records we find.
4) Once repairs are made to the DNS settings, right click the server name in the DNS management console and choose "Clear Cache".
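Steps 2 and 3 can be checked from a shell instead of by eye. The script below is an added example, not part of the post: for every domain controller it resolves the A record(s), reverse-resolves each address, and reports missing PTRs, PTRs that name a different host, and A records that differ from the address the DC itself reports. It assumes the ActiveDirectory module (RSAT) is available where it runs.

```powershell
# Added example (not part of the post): verify A and PTR records for every domain controller.
Import-Module ActiveDirectory

function Test-DcDnsRecords {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $fqdn = $dc.HostName
        try   { $addresses = @([System.Net.Dns]::GetHostAddresses($fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' }) }
        catch { $addresses = @() }
        if ($addresses.Count -eq 0) {
            New-Object PSObject -Property @{ DC = $fqdn; IP = $dc.IPv4Address; PTR = ''; Problem = 'no A record resolves' }
            continue
        }
        foreach ($addr in $addresses) {
            $ip = $addr.ToString()
            # reverse lookup; GetHostEntry throws when no PTR exists for the address
            try   { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $ptr = '' }
            $problem = ''
            # an A record that differs from the DC's own address is usually a stale entry
            if ($ip -ne $dc.IPv4Address) { $problem = "A record $ip differs from DC address $($dc.IPv4Address); " }
            if ($ptr -eq '') { $problem += 'no PTR record' } elseif ($ptr -ne $fqdn) { $problem += "PTR names $ptr, not this DC" }
            New-Object PSObject -Property @{ DC = $fqdn; IP = $ip; PTR = $ptr; Problem = $problem }
        }
    }
}

# Rows with an empty Problem column are healthy; the others are the records to fix.
Test-DcDnsRecords | Format-Table DC, IP, PTR, Problem -AutoSize
```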

Reboot your BES server just for fun, and try to log in.

Sending vCard – “You can’t send a message on behalf of this user unless you have permission to do so … ” – Outlook 2010

Posted on December 12, 2011

If you run into this message while trying to forward a vCard using Outlook 2010 (likely 2007 as well), you are dealing with a hidden X.400 "FROM" address inside the contact metadata. When a contact is created, Outlook caches the "From" address and references it instead of the actual account being used to send. You will see this when contacts are imported and exported between Exchange services, and apparently POP3 as well.

Sadly, there are only two resolutions, and neither of them is global.

1) When you see the "From" field appear while forwarding a contact, manually click "From" -> "Other E-mail Address" and choose your name from the list.
This will change the "From" address to your correct address; hit Send, and life is good.

2) You can manually create new contacts and copy the information from the old to the new.
DO NOT right click and copy a contact, you need to make a new contact and copy each field over individually.
If you copy a contact, it will transfer the x400 metadata.
I strongly feel this is a bug and Microsoft should look at removing the reference to the old address.


This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes.

Posted on October 7, 2011

I ran into a unique situation where removing an Exchange database was testing my sanity, and I definitely want to post the solution for anyone else who runs into the same issue.

Here's the scenario: Exchange 2010. You are looking to move all mailboxes out of a particular database. After moving all the mailboxes you ask Exchange to remove the database through the EMC or the shell, when suddenly:

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.

As you are a brilliant IT wizard, you immediately remember to check if you moved all the archive and arbitration mailboxes.

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Archive
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Arbitration
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes"

No results are returned ... so why does Exchange think there are mailboxes left inside?
Good question!

When the database removal request begins, a validation process runs to ensure no user mailbox attributes are still linked to the database. In very rare instances, a particular attribute has failed to update or be reset, and thus ... it fails. In our particular case, an existing mailbox had the online-archive feature removed, and afterwards the "msExchArchiveDatabaseLink" attribute was still referencing this old database. So how did we find it?

Easy!

1) Load the command prompt and run "dsquery * domainroot -attr * -limit 0 > results.txt"

This will dump the attributes for every object in AD to a text file you can search through.

2) Open the text file with notepad and search for a unique string from your database name. In our case, "Testing" worked out great from "Staff & Testing mailboxes"

3) We found the single attribute that was causing the removal process to think there were still active mailboxes in the database.

msExchArchiveDatabaseLink: CN=Staff & Testing Mailboxes,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XXX

If you look directly above this row, you will find a few values that will help you identify the user account in question that has this attribute set.
In our case, we found these records a few lines above:

sAMAccountName: jon
userPrincipalName: jon@doe.com
mail: jon@doe.com

Now we know which user has a reference to the old database, and which attribute.

4) Load ADSIEDIT.MSC and browse to the user object under the default naming context. Right click the object, properties, scroll down until you find "msexcharchivedatabaselink" and clear it. After you save it should be "<not set>".

If you're not familiar with ADSIEDIT, open it, choose the default naming context and you will be provided with a list of objects similar to your active directory users/computers. When you find the user that had the bad link, right click their object and select properties. Within is a fantastic list of all sorts of attributes ... including the one you need to change (msexcharchivedatabaselink).

BE CAREFUL USING ADSIEDIT ... you can do SERIOUS damage. You've been warned!

After you reset this value, try removing the database again and you should find success. If not, run the dsquery again and look for other objects referencing the old database.
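Rather than dumping every attribute of every object with dsquery and searching the text file, you can ask AD directly which objects still reference the database's distinguished name. The script below is an added example, not the post's own steps; it checks homeMDB as well as msExchArchiveDatabaseLink, takes the DN from Get-MailboxDatabase, and assumes the ActiveDirectory module (RSAT) is available on the Exchange server and a single-domain forest.

```powershell
# Added example (not the post's own steps): find AD objects still linked to a mailbox database.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. The DN contains "(FYDIBOHF23SPDLT)"; left unescaped, the
    # parentheses break the filter and the search quietly returns nothing.
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-DatabaseReferences {
    param([string]$DatabaseName)
    $dbDn = (Get-MailboxDatabase $DatabaseName).DistinguishedName
    # attributes Exchange uses to link an object to a database; any of them still set
    # to this DN makes the removal validation fail exactly as described above
    $attributes = 'homeMDB', 'msExchArchiveDatabaseLink'
    $value = ConvertTo-LdapFilterValue $dbDn
    $filter = '(|' + (($attributes | ForEach-Object { "($($_)=$($value))" }) -join '') + ')'
    # searches the default naming context of the current domain (single-domain assumed)
    Get-ADObject -LDAPFilter $filter -Properties (@('sAMAccountName', 'mail') + $attributes) | ForEach-Object {
        $obj = $_
        foreach ($attr in $attributes) {
            if ("$($obj.$attr)" -eq $dbDn) {
                New-Object PSObject -Property @{
                    Object = $obj.DistinguishedName; Account = $obj.sAMAccountName; Mail = $obj.mail; Attribute = $attr
                }
            }
        }
    }
}

# Each row is an object the removal will trip over; clear the named attribute on it
# (ADSIEDIT as in step 4, or Set-ADObject -Identity <dn> -Clear <attribute>) and retry.
Find-DatabaseReferences -DatabaseName 'Staff & Testing Mailboxes' | Format-Table Account, Mail, Attribute, Object -AutoSize
```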


Some other things to mention ... although likely not necessary ... during the process, I also:

- Deleted the System Mailbox record for this database using the dsquery results and ADSIEDIT ... not sure if this was another contributing factor to the success.

- With SP1, mailboxes are moved and the existing copy is left in the old database in a disconnected "SoftDeleted" state. I manually removed these as well; not sure if this was another contributing factor to the success.

If you want to remove all disconnected mailboxes from a database, run the following command:

Get-MailboxStatistics -Database "dbname" | Where-Object {$_.DisconnectReason -eq "Disabled"} | ForEach {Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState Disabled}

If you want to remove all soft-deleted mailboxes from a database, run the following command:

Get-MailboxStatistics -Database "dbname" | Where-Object {$_.DisconnectReason -eq "SoftDeleted"} | ForEach {Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState SoftDeleted}

Thanks to: http://www.howexchangeworks.com/2010/09/purge-disconnected-or-soft-deleted.html
For the softdelete info!

(BES) Blackberry Enterprise Activations – SMTP/Whitelist for in-bound activation e-mails

Posted on March 14, 2011

When adding a new user to your BlackBerry Enterprise Server, a very specific e-mail is sent to the user's inbox with an activation password. The e-mail is NOT sent locally within your network. Your local BES server issues the request through one of the many external BlackBerry servers housed all over the world. To ensure the mail arrives, add the following networks to your spam whitelist to allow delivery.

Network (CIDR)     Netmask
206.51.26.0/24     255.255.255.0
193.109.81.0/24    255.255.255.0
204.187.87.0/24    255.255.255.0
216.9.240.0/20     255.255.240.0
93.186.16.0/20     255.255.240.0
68.171.224.0/19    255.255.224.0
206.53.144.0/20    255.255.240.0
67.223.64.0/19     255.255.224.0
74.82.64.0/19      255.255.224.0
173.247.32.0/19    255.255.224.0
178.239.80.0/20    255.255.240.0

If you do not whitelist these networks and you do filter spam, don't say we didn't warn you!

Send-As anyone or Bypass Anti-Spam agents for a single mailbox using extended-rights with Exchange 2010

Posted on December 13, 2010

Roaming SMTP Solution for Exchange Servers

Looking for a quick and efficient method to allow roaming POP3 users or remote equipment to send e-mail from anywhere in the world? Typically ISPs block port 25 (SMTP) and force customers to send through their own SMTP servers to prevent spam, but realistically, how painful is it to find the new SMTP server information and change your settings every time you change networks? I think not ...

Our common solution for the roaming user is to open a separate SMTP port (generally 587 or 2525) and allow them to send from anywhere. As these users require authentication to send, you need to update the advanced settings on their POP3 profile to use the same username/password when sending, and change the SMTP port to either 587 or 2525 (whichever you chose). Simple and efficient.

What about network devices without actual mailboxes? For example, a network scanner or scheduled task that has no POP3 account?

Instead of creating a separate mailbox for every device, why not share one?
By default, if the sender address does not match the address of the authenticated mailbox, you will get "550 5.7.1 Client does not have permissions to send as this sender".
Here's how to fix that issue:

1) Forward external port 2525 or 587 on your firewall to port 25 on your Exchange server.
2) Create an Exchange mailbox to be used for sending (e.g. deviceSMTP) and use a complex password.
3) Load the Exchange Management Shell.
4) Choose the default receive connector for port 25:

Get-ReceiveConnector

mailserver\Client Mailserver {0.0.0.0:2525, :::25, 0.0.0.0:25} True

5) Apply the extended right to the user you created so that this authenticated account is allowed to send as any sender address:

Get-ReceiveConnector "mailserver\Client Mailserver" | Add-ADPermission -user "<user you created>" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Sender"

6) Set your network device to use authenticated SMTP, enter the username/password you created, and select port 2525 or 587.

Happy sending!

Bypass Anti-Spam agents for a specific mailbox

If your organization has a mailbox that requires unfiltered/un-protected mail, you can use extended rights to bypass the spam agents.

Get-ReceiveConnector "mailserver\Client Mailserver" | Add-ADPermission -user "<mailboxname>" -ExtendedRights "ms-Exch-Bypass-Anti-Spam"
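Both of the rights granted in the two sections above are standing exceptions worth keeping an inventory of: Accept-Any-Sender lets the account put any address, internal ones included, in MAIL FROM, and Bypass-Anti-Spam skips the anti-spam agents for that account's mail. The script below is an added example, not part of the post: it walks every receive connector and lists each account holding either right.

```powershell
# Added example (not part of the post): inventory who holds the two extended rights on each connector.
$watched = 'ms-Exch-SMTP-Accept-Any-Sender', 'ms-Exch-Bypass-Anti-Spam'

function Get-ConnectorRightHolders {
    foreach ($connector in Get-ReceiveConnector) {
        $connector | Get-ADPermission | Where-Object { -not $_.Deny } | ForEach-Object {
            $perm = $_
            # ExtendedRights is a collection; keep only the rights being tracked
            $granted = @($perm.ExtendedRights | Where-Object { $watched -contains $_.ToString() })
            if ($granted.Count -gt 0) {
                New-Object PSObject -Property @{
                    Connector = $connector.Identity.ToString()
                    User      = $perm.User.ToString()
                    Rights    = ($granted | ForEach-Object { $_.ToString() }) -join ', '
                    Inherited = $perm.IsInherited
                }
            }
        }
    }
}

# Entries for built-in groups come from the connector's permission groups; the rows to
# review are individual user accounts such as the one created above.
Get-ConnectorRightHolders | Sort-Object Connector, User | Format-Table Connector, User, Rights, Inherited -AutoSize
```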

Exchange 2010 SP1 – Exporting mailboxes to PST or another mailbox or mailbox folder

Posted on December 1, 2010

Just a quick note that several changes to the export features built into Exchange 2010 have been made in SP1. The following are quick commands to help you get it done.

1) Export a mailbox directly to a PST file

New-MailboxExportRequest -mailbox {mailbox} -FilePath \\server\folder\mailbox.pst

This will export the entire mailbox to a location and file name of your choice.

2) Export a mailbox directly to another mailbox

New-MailboxExportRequest -mailbox {mailbox} -FilePath \\server\folder\mailbox.pst
New-MailboxImportRequest -mailbox {newmailbox} -FilePath \\server\folder\mailbox.pst

This will export/import the entire mailbox contents to an alternative mailbox. Existing data located in the destination mailbox will be merged with the incoming data.

3) Export a mailbox directly into a unique folder in another mailbox

New-MailboxExportRequest -mailbox {mailbox} -FilePath \\server\folder\mailbox.pst
New-MailboxImportRequest -mailbox {newmailbox} -FilePath \\server\folder\mailbox.pst -targetrootfolder "Mailbox Contents"

This particular process is extremely useful when employees are terminated or leave the organization.

If you would like to review the progress of your exports or imports, use:

Get-MailboxExportRequest | fl
Get-MailboxImportRequest | fl

Outlook 2010 does not automatically send/receive with Exchange account

Posted on November 25, 2010

One of our clients recently reported an issue with a hosted Exchange account failing to send/receive automatically. On pretty much every hosted Exchange or MAPI Exchange account, Outlook will begin to send immediately. This is a nice feature and requires no manual intervention such as hitting "Send/Receive" on a regular basis.

This particular issue normally calls for the following checks:

- Disable antivirus/security suites
- Ensure the outbox is not loaded with extra large messages that delay sending
- Verify connectivity between client and server (ping/telnet is generally sufficient)
- Verify if send/receive works manually
- "Outlook /safe" to disable add-ins or extensions and test

Followed by the more aggressive actions:

- Delete the mail profile and re-create
- Complete a repair install of Office
- Completely remove Office and re-install from scratch

What happens if you're still stuck?
You can then proceed to the first thing you should have checked (unlike me):

Outlook -> File -> Options -> Advanced -> Send and Receive -> Turn on "Send immediately when connected"

How the customer managed to turn this off is one of life's grand mysteries. I should mention that even after re-installing Outlook/Office from scratch, this setting did not revert to its factory default. In recent versions of Outlook, preferences are stored as a convenience should you ever re-install. I would love to see the Microsoft team release an Outlook command line switch to reset Outlook to factory defaults.

Blackberry Enterprise 5.0.2 available with SIRKit Hosted Exchange 2010 packages

Posted on September 24, 2010

Blackberry Enterprise Express 5.0.2

Order Now: http://www.sirk.ca/services/hosted-services/exchange/2010/